Etsy joins bug bounty crew

Powered by SC Magazine
 

Offers $500 minimum, a t-shirt and a high-five.

Online art and clothing store Etsy has opened a bug bounty program that would reward security researchers for reporting vulnerabilities found on the website.

The company would offer a minimum of $US500 ($A479) for bugs and more for “distinctly creative or severe security bugs”. It did not state a maximum payout.

It would accept web application vulnerabilities such as Cross Site Scripting and Cross-site request forgeries, authentication issues, remote code execution, and authorisation problems within Etsy.com, the site’s application programming interface, and its mobile application.

“This means please do not test for: spam, social engineering, or denial of service vulnerabilities,” it said in a statement.

“You also must not disrupt any service or compromise anyone’s data.”

It said bug bounties were “industry best practice”.

The bug bounty program follows the company's publication of responsible disclosure policies in April that eliminated fear of legal action in response to unauthorised security tests and encouraged researchers to report vulnerabilities.

Those who previously reported flaws will be paid under the new program.

Etsy is the latest in a string of companies including Google, Mozilla, Facebook and Samsung prepared to shell out for privately-disclosed vulnerabilities.

PayPal began offering a similar option in June after the company’s chief security officer Michael Barrett changed his tune on paying for vulnerabilities.

Google paid out $2 million in bounties at the Malaysian Hack in the Box conference, including $60,000 for researchers who pull off a "full Chrome exploit", which involves an attack that leverages only vulnerabilities in the Chrome browser. 

It paid $50,000 for a "partial Chrome exploit", which requires the use of bugs in third-party software.

But Microsoft considers bug bounties superfluous. Its security response centre was inundated with free vulnerability reports from researchers looking for fame, not fortune. Up to 80 percent of Microsoft vulnerabilities were privately and freely reported.

Redmond has instead chosen to pay up to $20,000 under its BlueHat competition to researchers who create defensive technologies which block a class of exploits.

Copyright © SC Magazine, Australia


Etsy joins bug bounty crew
 
 
 
Top Stories
Australia passes data retention into law
Mammoth last-ditch effort by Greens, indies knocked back.
 
Turnbull introduces bill to block piracy websites
Takes ownership of legislation from Brandis.
 
ATO to kill off e-Tax
Veteran software to be replaced by more modern myTax.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Xero now includes an inventory function built-in
Mar 26, 2015
Xero has added inventory and other major new features to the latest release of its cloud ...
Apple reveals its new MacBook
Mar 13, 2015
Replacing the MacBook Air as Apple's thinnest laptop, the new MacBook comes packed with features.
Xero has released a new version of its app for the iPad
Mar 6, 2015
iPad-wielding Xero users can now take advantage of a new version of the iOS app for the cloud ...
Microsoft is offering Azure for Disaster Recovery to Australian SMBs
Feb 10, 2015
If you haven't talked to your IT provider about disaster recovery, it might be worth discussing ...
The 2015 Xero Roadshow is on: here are the locations and dates
Feb 6, 2015
The 2015 Xero Roadshow kicked off this week - see where you can attend at locations around ...
Latest Comments
Polls
Do you support the Government's data retention scheme?

   |   View results
Yes
  8%
 
No
  92%
TOTAL VOTES: 1327

Vote